Burr And Feinstein Release Their Anti-Encryption Bill... And It's More Ridiculous Than Expected

from the are-they-serious? dept

They've been threatening this for months now, but Senators Richard Burr and Dianne Feinstein have finally released a "discussion draft" of their legislation to require backdoors in any encryption... and it's even more ridiculous than originally expected. Yesterday, we noted that the White House had decided to neither endorse nor oppose the bill, raising at least some questions about whether or not it would actually be released. Previously, Feinstein had said she was waiting for the White House's approval -- but apparently she and Burr decided that a lack of opposition was enough.

The basics of the bill are exactly what you'd expect. It says that any "device manufacturer, software manufacturer, electronic communication service, remote computing service, provider of wire or electronic or any person who provides a product or method to facilitate communication or the processing or storage of data" must respond to legal orders demanding access to said information. First off, this actually covers a hell of a lot more than was originally expected. By my reading, anyone providing PGP email is breaking the law -- because it's not just about device encryption, but encryption of communications in transit as well. I wonder how they expect to put that genie back in the bottle.

But, let's dig into a few other bits of insanity in the bill. It starts out with an insane assertion, right upfront:

What an absurd way to start the bill. As we've discussed over and over again, despite FBI director James Comey's statements, no one is claiming to be "above the law" here. When they offer end-to-end encryption they're not "above the law," they're just building a system to which they don't have the key. That's like saying that the safe maker who doesn't keep copies of the keys to every safe they sell is above the law. But no one requires safemakers to keep copies of every key.

Next, the claim that economic growth, prosperity, security, stability and liberty somehow depend on all of this is ridiculous. The second this bill becomes law, the US loses a massive economic advantage. Basically all of our technology becomes suspect globally, and the entire cybersecurity industry moves off shore. It will devastate American businesses outside of the US. Burr and Feinstein are basically offering a bill that completely undermines the economic prosperity of the American tech industry. This is especially insane coming from Feinstein, given that she supposedly represents so many tech companies in California.

all providers of communications services and products (including software) should protect the privacy of United States persons through implementation of appropriate data security and still respect the rule of law and comply with all legal requirements and court orders;

And they do... when they can. But what this bill requires is for tech companies to undermine the basics of encryption to make everyone less safe. This is not about disrespecting the rule of law, but about building systems as secure as possible to protect people from malicious attacks. You know, the very kinds of attacks that Senators Burr and Feinstein kept screaming about just months ago when they were demanding a bogus cybersecurity (really: surveillance) bill get passed by Congress. And yet now they want to undermine the very core concept of cybersecurity in the US.

to uphold both the rule of law and protect the interests and security of the United States, all persons receiving an authorized judicial order for information or data must provide, in a timely manner, responsive, intelligible information or data, or appropriate technical assistance to obtain such information or data;

And if that's literally impossible, as is the case with strong encryption or end-to-end encryption?

Let's be clear, here. This bill makes effective cybersecurity illegal. Think about that for a second. This is insane.

Then there's this kicker:

Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.

Yeah, except for the entire bill which absolutely prohibits the kind of design that basically all security experts say you need to adequately protect data and communications.

There are lots of other issues as well. As Jonathan Zdziarski notes, the bill is so ridiculously drafted that it doesn't distinguish between encrypted data and deleted data. Thus, if someone deletes all their data, companies are still on the hook to magically get it back. It also requires that any information that is requested be delivered "in an intelligible format." But what if the information itself is not intelligible? What if, prior to encrypting the data through technological means, the people doing the communications used some sort of cypher or code themselves to further obfuscate the information?

The whole thing is a mess and provides much more evidence for the fact that Feinstein and Burr have absolutely no clue what they're talking about on this particular issue. Of course, there are lots of clueless people, but it's pretty disturbing that these two particularly clueless people happen to be the highest ranking members on the Senate Intelligence Committee. Perhaps, like some others, they should talk to actual intelligence community professionals, who have also been arguing that backdooring encryption is a bad idea and puts Americans at much greater risk of being victims of computer attacks.